Cloud security compliance management functions
The objective of cloud security compliance management is to ensure that the organization is compliant with regulatory requirements (and internal policies) and efficiently tracks and reports status.
Cloud introduces changes to security compliance including:
- Requirement to validate the compliance status of the cloud provider with your regulatory requirements. This is a shared responsibility, see adopting the shared responsibility model for how these responsibilities differ for cloud types.
- Pre-cloud guidance: While many regulatory requirements have been updated to incorporate the dynamic nature of cloud services, some do not yet include this. Organizations should work with regulatory bodies to get these updated and be prepared to explain these differences during audit exercises.
- Linking compliance to risk: Ensure that organizations are tying compliance violations and exceptions to organizational risks to ensure the right level of attention and funding to correct issues.
- Tracking and reporting enabled by cloud: This function shoudl actively embrace the software defined nature of cloud as this offers comprehensive logging, configuration data, and analytical insight that make reporting on compliance more efficient than traditional on-premises approaches.
- Cloud-based compliance tools are available to facilitate easier reporting of regulatory compliance such as Microsoft Compliance Manager, which can reduce overhead costs of this function.
Team composition and key relationships
Cloud security compliance management frequently interacts with:
- Security operations
- IT operations
- Organizational compliance/risk management teams
- Audit and legal teams
- Key business leaders or their representatives
Review the function of people security.